Computer software is a set of computer data and instructions organized in a specific sequence. Malware appeared shortly after the emergence of computer software. Legitimate software is developed to enhance and extend the operating capability of a computer, whereas malware is developed to steal and destroy computer data. A conventional malware detection method is implemented based on feature code (signature) comparison. However, malware usually evades feature code comparison by means of morphing, packing, and the like. Morphing refers to adding a large quantity of obfuscated code to the program code of software so that the original feature code no longer matches. Packing refers to encrypting and packing the program code of software so that the original feature code no longer matches.
To avoid the foregoing defect, a method for detecting malware using sandbox technology has been proposed. A sandbox is a software isolation and running mechanism whose purpose is to limit the permissions of untrusted software. Sandbox technology is frequently used to execute untested or untrusted software. To avoid a case in which the untrusted software destroys the running of other software, the sandbox provides virtualized disk, memory, and network resources for the untrusted software, so as to protect the original status of the operating system. In a specific implementation of sandbox technology, all files and registry entries that the untrusted software creates, modifies, or deletes while running in the sandbox are virtualized and redirected to a virtual operating system. Therefore, all operations of the untrusted software are virtual, and the real file system and the real registry are not modified, which ensures that malware carrying a virus cannot modify a key part of the operating system and cannot destroy the operating system.
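The following Python model is added here as an illustration of the redirection mechanism described above; it is not code from the application text or from any sandbox product. It treats the real file system and the real registry as dictionaries that the sandboxed program can never write to: writes and deletions land in a virtual root (the path layout under `/sandbox/vroot` and the `Sandbox\vroot\` registry prefix are assumed), reads fall through to the real copy when no virtual copy exists, a deleted item is hidden by a tombstone, and every operation is logged so that it can later be compared against a behavior database.

```python
"""Copy-on-write redirection of file and registry operations for untrusted code.
Constructed example; the real file system and registry are modelled as dicts."""


class Sandbox:
    def __init__(self, real_fs, real_registry, vroot="/sandbox/vroot"):
        self.real_fs = real_fs              # real file system: path -> bytes (never written)
        self.real_registry = real_registry  # real registry: key -> value (never written)
        self.vroot = vroot
        self.vfiles = {}                    # virtual path -> bytes written by the program
        self.vregistry = {}                 # virtual key -> value written by the program
        self.deleted_files = set()          # tombstones hiding real files from the program
        self.deleted_keys = set()
        self.log = []                       # (operation, target) records for later analysis

    def _vpath(self, path):
        # Assumed layout: C:/Windows/x -> /sandbox/vroot/C/Windows/x
        return self.vroot + "/" + path.replace(":", "").lstrip("/")

    def _vkey(self, key):
        # Assumed layout: keys are parked under a private prefix
        return "Sandbox\\vroot\\" + key

    # ---- file operations seen by the untrusted program ----
    def exists(self, path):
        if path in self.deleted_files:
            return False
        return self._vpath(path) in self.vfiles or path in self.real_fs

    def read_file(self, path):
        self.log.append(("file_read", path))
        if not self.exists(path):
            raise FileNotFoundError(path)
        # Virtual copy wins; otherwise fall through to the untouched real copy
        return self.vfiles.get(self._vpath(path), self.real_fs.get(path))

    def write_file(self, path, data):
        self.log.append(("file_write", path))
        self.deleted_files.discard(path)
        self.vfiles[self._vpath(path)] = data

    def delete_file(self, path):
        self.log.append(("file_delete", path))
        self.vfiles.pop(self._vpath(path), None)
        self.deleted_files.add(path)        # real file stays; program just cannot see it

    # ---- registry operations seen by the untrusted program ----
    def get_key(self, key):
        self.log.append(("reg_read", key))
        if key in self.deleted_keys:
            raise KeyError(key)
        vk = self._vkey(key)
        if vk in self.vregistry:
            return self.vregistry[vk]
        return self.real_registry[key]

    def set_key(self, key, value):
        self.log.append(("reg_write", key))
        self.deleted_keys.discard(key)
        self.vregistry[self._vkey(key)] = value

    def delete_key(self, key):
        self.log.append(("reg_delete", key))
        self.vregistry.pop(self._vkey(key), None)
        self.deleted_keys.add(key)


def run_untrusted_sample(sb):
    """Constructed behaviour of an untrusted program: it edits a system file,
    removes a log file and adds an autorun registry value."""
    hosts = "C:/Windows/System32/drivers/etc/hosts"
    sb.write_file(hosts, sb.read_file(hosts) + b"# modified\n")
    sb.delete_file("C:/Windows/Temp/old.log")
    sb.set_key(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
               r"C:\Users\user\svc.exe")
    return sb


def demo():
    """Run the sample in a sandbox and return it with snapshots of the real state."""
    real_fs = {"C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
               "C:/Windows/Temp/old.log": b"old log data\n"}
    real_reg = {r"HKCU\Software\Example\Version": "1.0"}
    snapshot = (dict(real_fs), dict(real_reg))
    return run_untrusted_sample(Sandbox(real_fs, real_reg)), snapshot


if __name__ == "__main__":
    sb, (fs_before, reg_before) = demo()
    print("real state untouched:", sb.real_fs == fs_before and sb.real_registry == reg_before)
    for op in sb.log:
        print(op)
```

The point of the model is the asymmetry: every read consults the virtual copy first and then the real copy, while every write or delete only ever touches the virtual copy or a tombstone, so the dictionaries standing in for the real system are identical before and after the run. The `log` list is what a behavior-matching stage would consume.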
The specific operating principle of detecting malware using sandbox technology is to simulate a completely normal environment in which the untrusted software runs, and to record all operations that the untrusted software performs while it runs. The recorded operations are matched against a malicious behavior database. If a matching malicious behavior is identified, the untrusted software can be considered malware. Because the method lets the malware run directly in the sandbox, the malware is prevented from evading detection by means of morphing, packing, and the like, which may improve the accuracy of malware detection. Compared with the conventional detection method, the detection capability of the sandbox-based method is greatly improved. In addition, because the sandbox-based method matches against a universal malicious behavior database, the problem that the base quantity of malicious samples of the same type is extremely large may be avoided.
However, in practical application, monitoring for an extremely long time is impractical due to limitations of hardware resources and software specifications. The sandbox can generally monitor only behaviors performed within several minutes after the untrusted software starts to run. Due to this limitation, malware adds a delay operation before the malicious behavior breaks out; for example, a long Sleep statement is added. The statement may delay some operations in the software running process for tens of minutes or even several hours, so as to evade detection. Therefore, the current malware detection method has a defect of relatively low accuracy.
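The following Python example is added to illustrate both of the preceding paragraphs; it is not code from the application text or from any sandbox product. It matches a recorded operation trace against a small malicious behavior database (the matching rule, the database entries, the JSON-lines trace format and the five-minute monitoring window are all assumptions), and it also reports any delay call whose requested duration would run past the end of the monitoring window, which is the failure mode just described: a sample that only requests a two-hour Sleep within the window produces no matching behavior, so the analysis flags the delay itself rather than returning a clean result.

```python
"""Behavior-database matching over a sandbox trace, plus detection of delay
calls that would push execution past the sandbox's monitoring window.
Constructed example; traces, database and window length are assumptions."""
import json
from dataclasses import dataclass, field

MONITOR_WINDOW_SECONDS = 5 * 60   # assumption: the sandbox observes only the first five minutes


@dataclass
class Event:
    t: float                                 # seconds since the sample started running
    api: str                                 # recorded API name
    args: dict = field(default_factory=dict)


# Constructed behavior database. A behavior matches when all of its API names
# occur in the trace in this order; unrelated calls may sit in between.
BEHAVIOR_DB = {
    "persist via registry run key": ["CopyFile", "RegSetValue"],
    "download and execute": ["InternetOpenUrl", "WriteFile", "CreateProcess"],
}

# Delay-inducing APIs and how to convert their recorded arguments to seconds.
DELAY_APIS = {
    "Sleep": lambda a: a["ms"] / 1000.0,
    "NtDelayExecution": lambda a: a["interval_100ns"] / 1e7,
    "WaitForSingleObject": lambda a: a["timeout_ms"] / 1000.0,
}


def parse_trace(text):
    """One JSON object per line, as a sandbox hook might record it."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(Event(float(rec["t"]), rec["api"], rec.get("args", {})))
    return events


def _in_order(apis, pattern):
    # True when every name in pattern appears in apis, in order (not necessarily adjacent)
    it = iter(apis)
    return all(any(api == wanted for api in it) for wanted in pattern)


def match_behaviors(events, db=BEHAVIOR_DB):
    apis = [e.api for e in events]
    return [name for name, pattern in db.items() if _in_order(apis, pattern)]


def find_evasive_delays(events, window=MONITOR_WINDOW_SECONDS):
    """Delay calls whose requested duration would end after monitoring stops."""
    hits = []
    for e in events:
        to_seconds = DELAY_APIS.get(e.api)
        if to_seconds is None:
            continue
        try:
            requested = to_seconds(e.args)
        except (KeyError, TypeError):
            continue                          # malformed record: skip rather than crash
        if e.t + requested > window:
            hits.append((e.api, requested))
    return hits


def analyze(trace_text, window=MONITOR_WINDOW_SECONDS):
    events = parse_trace(trace_text)
    matched = match_behaviors(events)
    delays = find_evasive_delays(events, window)
    if matched:
        verdict = "malicious"
    elif delays:
        verdict = "suspicious: delayed execution beyond monitoring window"
    else:
        verdict = "no malicious behavior observed"
    return {"behaviors": matched, "evasive_delays": delays, "verdict": verdict}


# Constructed trace 1: the only thing the sandbox sees before its window closes
# is a two-hour delay request, so no database entry can match.
SLEEPER_TRACE = r"""
{"t": 0.05, "api": "CreateFile", "args": {"path": "C:\\Users\\user\\sample.exe"}}
{"t": 0.20, "api": "Sleep", "args": {"ms": 7200000}}
"""

# Constructed trace 2: the same behavior carried out immediately, which the
# database catches; its short Sleep stays well inside the window.
DIRECT_TRACE = r"""
{"t": 0.05, "api": "CreateFile", "args": {"path": "C:\\Users\\user\\sample.exe"}}
{"t": 0.10, "api": "CopyFile", "args": {"dst": "C:\\Users\\user\\AppData\\Roaming\\svc.exe"}}
{"t": 0.12, "api": "Sleep", "args": {"ms": 500}}
{"t": 0.70, "api": "RegSetValue", "args": {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}}
"""

if __name__ == "__main__":
    print(analyze(SLEEPER_TRACE))
    print(analyze(DIRECT_TRACE))
```

The delay check compares the call's position in the trace plus its requested duration against the window, so a short Sleep issued near the end of the window is flagged just like a multi-hour one issued at the start; both leave the sandbox without observing whatever follows. Reporting the delay as a separate finding keeps the behavior database unchanged while still surfacing samples that would otherwise appear clean.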